Abstract

Quantum key distribution (QKD) makes it possible for two remotely separated parties to carry out unconditionally secure communication. In principle, the security is guaranteed by the uncertainty principle of quantum mechanics: if any third party watches the key, she must disturb the quantum bits and therefore runs the risk of being detected. However, the security in practice is quite different, since many of the assumptions of the ideal case do not hold. Our presently existing security proofs of QKD protocols require perfect random number generators. Actually, we can never have perfect generators in the real world. Here we show that imperfect random numbers can also be used for secure QKD, if they satisfy a certain explicit condition.
Quantum key distribution (QKD) has attracted strong interest from scientists since it makes it possible to set up an unconditionally secure key between two remote parties by the principles of quantum mechanics. However, unconditional security in principle does not necessarily give rise to unconditional security in practice, where many non-ideal factors occur. "The most important question in quantum cryptography is to determine how secure it really is" [1]. Different from the assumed ideal situation, there are many imperfections in realizing anything in the real world. Consider the case of QKD. These imperfections may include channel noise, small errors in the source and devices, biased random number generators and so on. So far, security proofs with channel noise have been given by a number of authors [2,3,5-12]. The security was then extended to the case including small errors in the source and devices [13,14]. However, the effect of imperfect random numbers is still unknown. This causes problems in practice, though many people believe that sufficiently good random numbers must also work very well. However, if the security is based on such a belief, then it is still conditional security instead of unconditional security, and we do not know why this belief should be stronger than the belief in the assumed complexity of certain mathematical problems on which classical key distribution is based. Therefore a strict proof is needed for the unconditional security of QKD in the real world. Without an explicit analysis of the effect of imperfect random numbers, we do not know how good is good enough, and we have no choice but to blindly increase the quality of the random number generators. This can in principle raise the total cost without limit. No matter how much we have done to improve the quality of our random numbers, we still worry a little about the security, e.g., we do not know whether a bias of $10^{-10}$ or $10^{-30}$ undermines the security severely. The best way to solve the issue is to give an explicit study of the effect of the imperfections with a certain operational criterion. We show that a QKD protocol with a good imperfect random number generator (IRNG) satisfying a certain explicit condition is secure if the same QKD protocol with a perfect random number generator (PRNG) is secure.

We start from the definition of a PRNG and the quantification of an IRNG. Consider the case that the generator produces an $\omega$-bit string $s$. There are $2^\omega$ possible different strings in all; we define the set of all $\omega$-bit strings as $\{s_i,\ i = 1, 2, \cdots, 2^\omega\}$. An $\omega$-bit PRNG is defined as a generator which generates every string in $\{s_i\}$ with equal probability, i.e., every string in $\{s_i\}$ has the same probability $2^{-\omega}$ of being generated. If a generator generates $\omega$-bit strings with a non-uniform probability distribution over $\{s_i\}$, it is an imperfect random number generator, IRNG. Specifically, we quantify the quality of an $\omega$-bit random number generator by the value of the entropy: suppose it generates string $s_i$ with probability $p_i$; the entropy is

$$H(s) = -\sum_{i=1}^{2^\omega} p_i \log_2 p_i. \qquad (1)$$

In particular, we denote by $R_{\omega,\epsilon}$ an IRNG which generates $\omega$-bit binary strings with entropy $-\sum_i p_i \log_2 p_i = \omega - \epsilon$. In the case of a PRNG, the probability distribution is uniform and the above function reaches its maximum value $\omega$. Given an IRNG, the entropy is always less than $\omega$. Here we shall consider the case of a good IRNG, of which the entropy value is $\omega - \epsilon$. In practice, it is often the case that Alice and Bob assume they are using a perfect random string but actually they are using an imperfect random string which is a little different from the perfect one. It can also be the case that they only know a lower bound on the quality of their generator, say $H(s) \ge \omega - \epsilon$, but they do not know the explicit pattern of the strings and have no way to change the generator to a perfect one. However, we should assume the worst case, that the eavesdropper (Eve) knows the pattern of their string even though they themselves do not. For example, a very smart Eve could find out the pattern from the history of the data. Also, in QKD, we assume Eve knows the protocol itself. This means Eve knows the specific status of all the devices involved, including the random number generators. Therefore, given the existing security proofs with PRNGs, we still worry a little that Eve could take advantage of her knowledge of the IRNG being used in the protocol and obtain a larger amount of information than the theoretical upper bound for the case where PRNGs are used. Our purpose is to see whether Eve can obtain significantly more information about the final key generated by a certain QKD protocol with a good IRNG, if Eve's information about the final key from the same protocol with a PRNG is in principle bounded by a very small value. In all existing QKD protocols, both Alice and Bob need some random numbers for the task. For example, in the BB84 protocol [4], Alice needs random numbers to prepare the initial quantum state $|0\rangle$ or $|1\rangle$ for each qubit; she needs to choose a subset of the qubits for the error test, and she also needs random numbers for error correction and, finally, privacy amplification. For all these purposes, Alice only needs to prepare an $\omega_a$-bit binary random string $s$ in the beginning, if the protocol needs $\omega_a$ random bits in all at Alice's side. In carrying out the protocol, Alice just reads $s$ from left to right whenever a random bit is needed. Bob also needs random numbers to determine his measurement bases ($\{|0\rangle, |1\rangle\}$ or $\{|\pm\rangle = \frac{1}{\sqrt 2}(|0\rangle \pm |1\rangle)\}$). We at this moment assume Bob has perfect random numbers while Alice does not. After we complete the proof of our Theorem, we extend it to the case that Bob does not have perfect random numbers either. We shall first show the following theorem:

Theorem: Given any QKD protocol $P$, suppose Bob always uses a PRNG and Eve knows what random number generators are used by Alice and Bob. If Eve's information about the $k$-bit final key is bounded by $\epsilon_0$ in the case that Alice uses a PRNG, then Eve's information about the final key is bounded by

$$\epsilon_0 + (4k+1)\sqrt{\epsilon_A/2} + O(\epsilon_A^{3/2}) + O(\epsilon_A)$$

in the case Alice uses an IRNG $R_{\omega_a,\epsilon_A}$.

For clarity let us first recall the Holevo bound [15,16].

Clare announces the following facts: he will pass Alice an $\omega_a$-qubit state which can be either $\rho_0$ or $\rho_1$, with equal probability. He sets his bit value $X = 0$ if he passes $\rho_0$ to Alice, and $X = 1$ if he passes $\rho_1$ to Alice. It is known to all parties that $\rho_0 = 2^{-\omega_a}\sum_{i=1}^{2^{\omega_a}} |s_i\rangle\langle s_i|$ and $\rho_1 = \sum_{i=1}^{2^{\omega_a}} p_i |s_i\rangle\langle s_i|$. The state $|s_i\rangle$ is a product state of $\omega_a$ qubits, each prepared in the $\{|0\rangle, |1\rangle\}$ basis. The string gives the full information on the state of each qubit, e.g., if $s_i = 01010011\cdots10$, then $|s_i\rangle = |01010011\cdots10\rangle$. In such a case, using Holevo's theorem [15] we find that Alice's information about bit $X$ is bounded by

$$h = H(\bar\rho) - \tfrac12 H(\rho_0) - \tfrac12 H(\rho_1) \qquad (2)$$

with $\bar\rho = \tfrac12(\rho_0 + \rho_1)$, where $H(\cdot)$ here denotes the von Neumann entropy. In fact, in this case, if Alice directly observes each qubit in the $\{|0\rangle, |1\rangle\}$ basis she can reach the upper bound on her information about $X$. Since $\rho_0$, $\rho_1$ and $\bar\rho$ are all diagonal in the same basis, $H(\bar\rho) \le \omega_a$, $H(\rho_0) = \omega_a$ and $H(\rho_1) = \omega_a - \epsilon_A$, so with a little calculation one immediately obtains

$$h \le \epsilon_A/2. \qquad (3)$$
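As an added worked example (not part of the paper), the following Python code evaluates the quantities defined in (1)-(3) for a constructed IRNG: $\omega$ independent bits, each equal to 1 with probability $b$ (any other distribution over the $2^\omega$ strings could be substituted for `irng_distribution`). Because $\rho_0$, $\rho_1$ and $\bar\rho$ are all diagonal in the computational basis, their von Neumann entropies are the Shannon entropies of their diagonals, so the Holevo quantity of (2) can be computed classically; the code checks (3) and also evaluates the leading-order bound of the Theorem. The function names and the sample parameters are this example's own assumptions.

```python
from itertools import product
from math import log2, sqrt

OMEGA = 8      # string length omega (example parameter, not from the paper)
BIAS = 0.55    # constructed IRNG: each bit is 1 with probability BIAS


def irng_distribution(omega, bias):
    """Constructed IRNG: omega independent bits, each 1 with probability `bias`.
    Returns p_i for every omega-bit string s_i, in lexicographic order."""
    probs = []
    for bits in product((0, 1), repeat=omega):
        p = 1.0
        for b in bits:
            p *= bias if b else 1.0 - bias
        probs.append(p)
    return probs


def shannon_entropy(probs):
    """H(s) = -sum_i p_i log2 p_i, Eq. (1)."""
    return -sum(p * log2(p) for p in probs if p > 0.0)


def entropy_deficiency(omega, probs):
    """epsilon such that H(s) = omega - epsilon, i.e. the generator is R_{omega,epsilon}."""
    return omega - shannon_entropy(probs)


def holevo_bound(omega, probs):
    """h = H(rho_bar) - H(rho_0)/2 - H(rho_1)/2, Eq. (2), for
    rho_0 = 2^-omega sum |s_i><s_i|, rho_1 = sum p_i |s_i><s_i|,
    rho_bar = (rho_0 + rho_1)/2.  All three are diagonal in the same basis,
    so each von Neumann entropy is the Shannon entropy of its diagonal."""
    uniform = [2.0 ** -omega] * len(probs)
    mixture = [0.5 * (u + p) for u, p in zip(uniform, probs)]
    return (shannon_entropy(mixture)
            - 0.5 * shannon_entropy(uniform)
            - 0.5 * shannon_entropy(probs))


def holevo_bound_holds(omega, probs, tol=1e-12):
    """Checks Eq. (3): h <= epsilon/2."""
    return holevo_bound(omega, probs) <= entropy_deficiency(omega, probs) / 2.0 + tol


def eve_information_bound(eps0, k, eps_a):
    """Leading-order bound of the Theorem: eps0 + (4k+1) sqrt(eps_A/2) bits."""
    return eps0 + (4 * k + 1) * sqrt(eps_a / 2.0)


if __name__ == "__main__":
    p = irng_distribution(OMEGA, BIAS)
    eps = entropy_deficiency(OMEGA, p)
    print(f"H(s) = {shannon_entropy(p):.4f} bits, epsilon = {eps:.4f}")
    print(f"h = {holevo_bound(OMEGA, p):.5f} <= epsilon/2 = {eps / 2:.5f}: "
          f"{holevo_bound_holds(OMEGA, p)}")
    # The bound grows with the key length k, so an epsilon_A that is harmless
    # for a short key can be far too large for a long one.
    for k in (16, 256, 4096):
        print(f"k = {k:5d}: Eve's information <= "
              f"{eve_information_bound(1e-6, k, eps):.3f} bits")
```

Note the practical reading of the Theorem that the last loop makes visible: the term $(4k+1)\sqrt{\epsilon_A/2}$ is only below one bit when $\epsilon_A < 2/(4k+1)^2$, roughly $\epsilon_A \lesssim 1/(8k^2)$, so the entropy deficiency a generator may have shrinks quadratically with the length of the key it is used for.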

In what follows we shall show that, given the restriction imposed by Holevo's theorem, Eve's information about the final key must be negligible in a QKD protocol with a good IRNG $R_{\omega_a,\epsilon_A}$, if her information is in principle negligible in the same QKD protocol with perfect random numbers. We now consider the following game.

Game G: Clare announces that he will pass Alice an $\omega_a$-qubit state which can be either $\rho_0$ or $\rho_1$, with equal probability, and he sets his bit value $X = 0$ if he passes $\rho_0 = 2^{-\omega_a}\sum_{i=1}^{2^{\omega_a}} |s_i\rangle\langle s_i|$ to Alice, and $X = 1$ if he passes the state $\rho_1 = \sum_{i=1}^{2^{\omega_a}} p_i |s_i\rangle\langle s_i|$ to Alice. Alice measures each qubit of the state from Clare in the $\{|0\rangle, |1\rangle\}$ basis and obtains a classical string $s$. Using $s$ as her random string, Alice runs the QKD protocol $P$ with Bob. Meanwhile, Eve attacks the protocol just as if she were a real eavesdropper. If the protocol does not pass the error test, Alice gives it up and uses the string $s$ itself to obtain information about $X$; in such a case she can reach the Holevo bound. If the protocol passes the error test, they continue and set up a $k$-bit final key $Y$, and then Alice announces it. In such a case, Eve can obtain information about $X$ by reading the final key; Eve reports her information about $X$ to Alice, and Alice uses this as her own information about $X$. Obviously, Eve's information about $X$ must also be bounded by $h$, otherwise the result of our game violates Holevo's theorem.

Suppose scheme $T$ is the optimal attack on QKD protocol $P$ with an imperfect random string whose Shannon entropy is $\omega_a - \epsilon_A$ (but $T$ is not necessarily optimal for the same protocol with a perfect random string). Suppose Eve attacks $Y$ by scheme $T$. Without any loss of generality, $T$ has the following property: if the string $s$ used by Alice is perfectly random, Eve acquires information $\epsilon'$ about $Y$. If $s$ is from the generator $R_{\omega_a,\epsilon_A}$, Eve's information about the final key is optimized; we denote it by $\eta$ in such a case. In our game, $R_{\omega_a,\epsilon_A}$ corresponds to the case $X = 1$. Intuitively, $\eta$ should not be too large given that $\epsilon'$ is very small, since otherwise, after Alice announces $Y$, Eve may easily see whether her actual information about $Y$ prior to the announcement was $\eta$ or $\epsilon'$, and therefore she could access an unreasonably large amount of information about Clare's bit $X$. After attack $T$, Eve has two probability distributions $P = \{P_i\}$ and $Q = \{Q_i\}$ over the $k$-bit final key $Y$, conditional on $X = 0$ and $X = 1$ respectively. Before reading the final key $Y$, the two distributions are equally likely to be the one in force. After reading the final key $Y$, however, the two distributions $P$ and $Q$ may assign it different probabilities, so the probabilities of $X = 0$ and $X = 1$ can also be different after Eve reads $Y$. That is to say, by reading $Y$, Eve may obtain different posterior probabilities for the distributions $P$ and $Q$.

For simplicity, consider the two probabilities $P_j$ and $Q_j$ for a specific possible final key $Y_j$. Consider one possible way for Alice to violate Holevo's theorem: if the final key is not $Y_j$, she disregards the QKD result, just uses the string $s$ itself and obtains information about $X$ in the amount of the Holevo bound. If the final key is $Y_j$, she announces $Y_j$ and uses Eve's information about $X$ as her own. Therefore, Eve's two probabilities $(P_j, Q_j)$ for any $Y_j$ cannot be too different, otherwise Alice has a non-zero chance to violate Holevo's theorem. Specifically, we have the following restriction:

$$I_E(X:Y_j) = 1 - \tfrac12 H(P'_j) - \tfrac12 H(Q'_j) \le h. \qquad (4)$$

Here $P'_j = \frac{P_j}{P_j + Q_j}$, $Q'_j = \frac{Q_j}{P_j + Q_j}$ and $H(t) = -t\log_2 t - (1-t)\log_2(1-t)$. For simplicity we shall use $\log$ instead of $\log_2$ hereafter. The above formula is equivalent to

$$I_E(X:Y_j) = 1 + \frac{1}{2+\delta_j}\log\frac{1}{2+\delta_j} + \frac{1+\delta_j}{2+\delta_j}\log\frac{1+\delta_j}{2+\delta_j} \le h. \qquad (5)$$

Here $\delta_j$ is defined by $\delta_j = Q_j/P_j - 1$. After a further reduction (using $\log(2+\delta_j) = 1 + \log(1+\delta_j/2)$) we obtain

$$I_E(X:Y_j) = \frac{1+\delta_j}{2+\delta_j}\log(1+\delta_j) - \log\Big(1+\frac{\delta_j}{2}\Big), \qquad (6)$$

which vanishes at $\delta_j = 0$ and increases with $|\delta_j|$ on either side. Expanding (6) in powers of $\delta_j$ gives

$$I_E(X:Y_j) = \frac{\delta_j^2 - \delta_j^3}{8\ln 2} + O(\delta_j^4), \qquad (7)$$

so the leading term is quadratic in $\delta_j$, with the cubic correction lowering $I_E(X:Y_j)$ for $\delta_j > 0$ and raising it for $\delta_j < 0$. In either case $I_E(X:Y_j)$ is bounded below by a positive multiple of $\delta_j^2$ for $|\delta_j| < 1$, so the restriction (5) forces $|\delta_j| = O(\sqrt h)$.
In any case, we have

$$|\delta_j| \le |\Delta| = 4[1 + O(\sqrt h)]\sqrt h \qquad (9)$$

for any $j$, given the restriction of formula (4). With this formula, we can now calculate the lower bound of $H(Q)$, the entropy of the whole $k$-bit final key, given the distribution $Q = \{Q_i\}$:

$$\begin{aligned} H(Q) = H(\{P_i(1+\delta_i)\}) &= -\sum_i P_i(1+\delta_i)\log[P_i(1+\delta_i)] \\ &\ge (1-|\Delta|)H(P) - (1+|\Delta|)\log(1+|\Delta|) \\ &\ge k - \epsilon' - (4k+1)[1+O(\sqrt h)]\sqrt h - O(h), \end{aligned} \qquad (10)$$

where the last step uses $H(P) \ge k - \epsilon'$ (Eve's information about $Y$ is $\epsilon'$ when $X = 0$) and (9). Since $\eta = k - H(Q)$, we have

$$\eta \le \epsilon' + (4k+1)[1+O(\sqrt h)]\sqrt h + O(h). \qquad (11)$$
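The restriction (4)-(5) and the bounds (9)-(11) can be checked numerically. The added Python example below (not from the paper; its function names and sample values are its own assumptions) computes $I_E(X:Y_j)$ from $\delta_j$, finds by bisection the full range of $\delta_j$ compatible with $I_E(X:Y_j) \le h$ for a given $h$, confirms that this range lies inside the $4\sqrt h$ window of (9), and evaluates the lower bound (10) on $H(Q)$ against a constructed $Q$ whose $\delta_i$ sit at the edge of that window. It goes slightly beyond the text in that it solves (5) exactly rather than to leading order, which shows how loose the constant 4 in (9) is.

```python
from math import log2, sqrt


def binary_entropy(t):
    """H(t) = -t log2 t - (1-t) log2 (1-t), with H(0) = H(1) = 0."""
    if t <= 0.0 or t >= 1.0:
        return 0.0
    return -t * log2(t) - (1.0 - t) * log2(1.0 - t)


def shannon_entropy(probs):
    return -sum(p * log2(p) for p in probs if p > 0.0)


def eve_information_on_x(delta):
    """I_E(X:Y_j) of Eq. (5) as a function of delta_j = Q_j/P_j - 1.
    Equals 1 - H(P'_j) with P'_j = 1/(2+delta_j), which is Eq. (4) since
    H(P'_j) = H(Q'_j)."""
    return 1.0 - binary_entropy(1.0 / (2.0 + delta))


def admissible_delta_range(h, tol=1e-12):
    """Smallest and largest delta_j (delta_j > -1) with I_E(X:Y_j) <= h.
    I_E vanishes at delta_j = 0 and increases monotonically with |delta_j| on
    either side, so each endpoint is found by bisection."""
    if not 0.0 < h < 1.0:
        raise ValueError("h must lie strictly between 0 and 1 bit")
    # Positive side: I_E -> 1 as delta_j -> infinity (Q_j dominates P_j).
    lo, hi = 0.0, 1.0
    while eve_information_on_x(hi) < h:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if eve_information_on_x(mid) <= h else (lo, mid)
    delta_max = lo
    # Negative side: I_E -> 1 as delta_j -> -1 (Q_j -> 0).
    lo, hi = -1.0 + 1e-12, 0.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (lo, mid) if eve_information_on_x(mid) <= h else (mid, hi)
    delta_min = hi
    return delta_min, delta_max


def paper_delta_window(h):
    """Leading-order window of Eq. (9): |delta_j| <= 4 sqrt(h)."""
    return 4.0 * sqrt(h)


def key_entropy_lower_bound(probs_p, delta_abs):
    """Eq. (10): H(Q) >= (1 - |Delta|) H(P) - (1 + |Delta|) log(1 + |Delta|)."""
    return ((1.0 - delta_abs) * shannon_entropy(probs_p)
            - (1.0 + delta_abs) * log2(1.0 + delta_abs))


def edge_case_q(probs_p, delta_abs):
    """Constructed Q_i = P_i (1 + delta_i) with delta_i = +|Delta|, -|Delta|
    alternating; this keeps Q normalised when P is uniform over an even number
    of keys (renormalised anyway to absorb rounding)."""
    q = [p * (1.0 + (delta_abs if i % 2 == 0 else -delta_abs))
         for i, p in enumerate(probs_p)]
    total = sum(q)
    return [x / total for x in q]


if __name__ == "__main__":
    for h in (1e-2, 1e-4, 1e-6):
        dmin, dmax = admissible_delta_range(h)
        print(f"h = {h:.0e}: delta_j in [{dmin:+.5f}, {dmax:+.5f}], "
              f"Eq. (9) window +/-{paper_delta_window(h):.5f}")
    k = 4
    p_uniform = [2.0 ** -k] * 2 ** k      # X = 0: Eve knows nothing about Y
    delta = paper_delta_window(1e-4)
    q = edge_case_q(p_uniform, delta)
    print(f"k = {k}: H(Q) = {shannon_entropy(q):.5f} >= "
          f"bound {key_entropy_lower_bound(p_uniform, delta):.5f}")
```

Running the loop shows the exact admissible interval is asymmetric (the negative side is tighter, because $Q_j$ can at most vanish while it can exceed $P_j$ without limit) and sits well inside $\pm 4\sqrt h$, so (9) is a safe but loose window; the final line shows that the bound (10) is likewise far below the actual $H(Q)$ for a $Q$ at the edge of the window, which is why the $(4k+1)\sqrt{\epsilon_A/2}$ term of the Theorem should be read as a sufficient condition on $\epsilon_A$, not as a tight estimate of Eve's information.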

Note that we always have $\epsilon' \le \epsilon_0$, since $\epsilon_0$ is the upper bound over all attacks on the QKD protocol with a PRNG, while $\epsilon'$ is the information obtained through $T$, which is an optimized attack on the QKD protocol with an IRNG but not necessarily an optimized attack on the same protocol with a PRNG. Therefore we complete the proof of our theorem by replacing $\epsilon'$ with $\epsilon_0$ and bounding $h$ by $\epsilon_A/2$ according to (3). Now we consider the case that Bob's random string is also imperfect, say, he uses an IRNG $R_{\omega_b,\epsilon_B}$. Since we already know that Eve's information is bounded by $\epsilon_0 + (4k+1)[1+O(\sqrt h)]\sqrt h + O(h)$ in the case that Alice uses an IRNG and Bob uses a PRNG, we now just consider the game $G'$, where David passes Bob an $\omega_b$-qubit state $\rho'_0 = 2^{-\omega_b}\sum_{i=1}^{2^{\omega_b}} |s_i\rangle\langle s_i|$ if he sets $X = 0$, and an $\omega_b$-qubit state $\rho'_1 = \sum_{i=1}^{2^{\omega_b}} p_i|s_i\rangle\langle s_i|$ if he sets $X = 1$. Similarly to the proof of our theorem, we have the following corollary: Suppose Eve always knows what random number generators are used by Alice and Bob in a certain QKD protocol $P$. If Eve's information about the final key is upper bounded by $\epsilon_0$ in the case PRNGs are used, then Eve's information about the $k$-bit final key is upper bounded by

$$\eta \le \epsilon_0 + (4k+1)\sqrt{\epsilon_A/2} + (4k+1)\sqrt{\epsilon_B/2} + O(\epsilon_A^{3/2} + \epsilon_B^{3/2}) + O(\epsilon_A + \epsilon_B)$$

in the case Alice uses the IRNG $R_{\omega_a,\epsilon_A}$ and Bob uses the IRNG $R_{\omega_b,\epsilon_B}$.
We conclude that, if a QKD protocol is secure when perfect random numbers are used, it must also be secure with exponentially small imperfections in the random numbers. Therefore perfect random number generators, which never exist in the real world, are not necessary for secure QKD.